Archive for the ‘News’ Category

MOOD-NT – New Linux Kernel Rootkit released

Thursday, November 2nd, 2006

Mood-NT is a SucKIT2-like Linux kernel rootkit for 2.4.x/2.6.x kernels.

It can hide processes, files, connections (Unix, raw and IPv6 too) and the promiscuous flag; it allows tty sniffing, exec redirection and exec-parameter sniffing, and it has an internal private init script for starting whatever you want on boot.

It has many anti-detector engines and a unique hardware-based hiding engine (using the debug registers) that makes it completely stealthy on x86 machines. If the kernel changes, it automatically reinstalls itself on boot.

Keep Safe,

regards
Steo
www.antirootkit.com

Microsoft Vista Kernel Protection is Cracked

Thursday, October 26th, 2006

Security company Authentium has revealed that it has cracked the Vista kernel protection called PatchGuard. Microsoft, in its recently released half-yearly security report, said that PatchGuard was created to stop malware such as rootkits from getting into the kernel, where they can hide almost anything on the computer, especially keyloggers and spyware.


“Kernel Patch Protection for x64 Windows: Kernel Patch Protection improves security and makes it more difficult for hackers to hide malware, such as rootkits, deep in the OS where antimalware technologies may have a more difficult time removing it.”
Source: Microsoft Security Intelligence Report – January – June 2006

Helmuth Feericks, chief technology officer of Authentium, told Reuters recently that his company had found a way to turn off PatchGuard, install software and turn it back on again. Although no specific details have been given as to how they were able to turn off PatchGuard, it does seem that others, crafty hackers among them, will soon find their own way and publish it.
The Authentium Blog has an entry in which PatchGuard kernel protection is described as “not very useable or useful”. The entry does not go into much detail because of a gag order from Microsoft. It goes to show that if big security companies see it as useless, then we will all be targets of its uselessness.

It is ironic that Microsoft is currently only using PatchGuard on 64-bit Vista, as an added security attraction for businesses, who are the most likely users of this version of Vista. Ordinary everyday users of the 32-bit version will not have PatchGuard protecting them, which may be just as well, since it would only have given them a false sense of security.

In recent weeks we have seen security companies like McAfee asking Microsoft for access to the Vista kernel so that they can provide HIPS (Host Intrusion Prevention System) applications to their 64-bit Vista customers.

Vista kernel protection is cracked, and it will not be long until we see rootkits for 64-bit Vista.

Keep Safe

regards
Steo
www.antirootkit.com

Vitriol: The VT-x Rootkit – Another VM Rootkit

Tuesday, October 10th, 2006

We all remember Joanna Rutkowska and the Bluepill rootkit she demonstrated at the Black Hat conference a few months ago. She showed how a rootkit could be installed using the hardware virtualisation provided by AMD chips. Now we have a new VM rootkit called Vitriol, developed by security specialist Dino Dai Zovi.
Dino will demonstrate Vitriol at Microsoft’s Blue Hat conference in late October.

Vitriol is a VM rootkit for Mac OS X using Intel VT-x on the Intel Core Duo/Solo. Dino has provided us with a PDF of the slides he will use at the Blue Hat conference, which, by the way, is only open to selected security specialists.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft Blocks Vista Rootkit Exploit

Monday, October 9th, 2006

Rootkit researcher Joanna Rutkowska has revealed that Microsoft has blocked the method that she used to install her Bluepill Rootkit.

On her blog Joanna wrote “It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”

She then goes on to say that when she first demonstrated her method at the Black Hat conference recently, she gave Microsoft three ways to fix the problem. Microsoft chose the option easiest for them: blocking raw disk access from user mode. The method Microsoft chose has far-reaching effects on software companies that provide disk editor software. These companies will now have to ship a digitally signed driver to get raw disk access. This also means that an attacker could “borrow” the driver from the disk editing software and use it to bypass the block Microsoft has put in place.

The other two options Joanna gave were to encrypt the pagefile and to disable kernel-mode paging. The option Microsoft took does not make the problem go away; it just adds another layer for an attacker to get through.

Well done, Microsoft: you have just made the attackers work a bit harder, and you have also made some of them look at signed drivers a bit more closely, adding another item to their arsenal.

Keep Safe

regards
Steo
www.antirootkit.com

E-Cards deliver Rootkits

Friday, September 22nd, 2006

Researchers at Exploit Prevention Labs have discovered a large cyber-criminal gang operating out of Australia. It was found that nearly every bank in Australia had customers whose bank details had been used by the criminals. Users in Australia were sent what looked like an eCard from Yahoo. The computer user would click on the eCard and be brought to an exploit server. The exploit server would check what vulnerabilities the user’s browser had and use the hole it found to install a keylogger, plus a rootkit to hide the keylogger. The exploit server was using the WebAttacker script, which is updated regularly and can be purchased very easily and cheaply.
The user would then be sent on to the Yahoo eCard site so that it looks as if nothing untoward has happened.

Roger Thompson, Exploit Prevention Labs’ CTO, discovered the Australian eCard scam and has been tracking the evolving threat.
“The user receives an eCard in their email inbox,” said Thompson. “The card appears to come through one of the major eCard companies, so it is assumed to be safe, despite the user not recognizing the sender’s name on the card. The user clicks the link to view the card, which doesn’t tell you who it’s really from, so they just close it and continue with whatever they were doing before. Unfortunately, what’s actually happened is that a rootkit has been delivered to the user’s PC before they even pick up the card.”

“We started tracking MDAC back in June, shortly after WebAttacker was upgraded. Initially, it was just a tiny blip on the radar, registering 0.5% in our Exploit Prevalence Survey for that month. In July, it was up to 3.51%, and last month it reached 6.69%. If that pattern continues, we can expect to see both vendors and traditional anti-malware vendors experiencing significant problems in trying to keep up with the threat.”

This attack goes to show that unless users have all the latest security updates and patches on their computer, they stand a much greater chance of falling victim to such an attack. No amount of anti-virus or anti-spyware software can thwart it. Even a user with a fully patched computer can still get caught by what are called zero-day attacks: attacks on holes in a program that the program maker is not yet aware of.

The best way to avoid rootkits getting onto your PC is to run as an ordinary user, without administrator rights.

Keep Safe

regards
Steo
www.antirootkit.com

New AOL IM Worm delivers Rootkit

Monday, September 18th, 2006

A new worm is propagating on the AOL Instant Messaging network. The worm, called W32.pipeline, was found by security experts over at Facetime Security Labs today. The worm arrives as what looks like a picture file but is actually an executable. When executed, the worm downloads a variety of other files, including a rootkit to hide itself. The worm then tries to propagate via the infected user’s Buddy List.

“Like many IM worms, W32.pipeline first appears as an instant message from a familiar contact, luring users into clicking on a link with a contextual phrase. The IM message “hey would it okay if i upload this picture of you to my blog?” downloads a command file called image18.com, which is disguised as a JPEG. Running the file results in csts.exe being created in the user’s system32 folder, part of the Windows operating system.”

Once installed, the worm’s payload may include sending private information about the infected user back to the attacker, performing distributed denial-of-service attacks on websites, or sending out spam messages to millions of users worldwide.

Facetime says that the attack seems to be carried out by individuals who want to create a botnet, a network of computers “owned” by the attacker. Once a member of the botnet, the computer can carry out any operation the attacker wants.
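The worm above gets in because the file looks like a picture while really being an executable. The check below is an added example written for this page (it is not code from Facetime or from the post): it ignores the file name and extension and classifies a file by its leading bytes, flagging anything that is a Windows PE executable or that claims an image extension but does not start like an image. The sample files, including one named after the image18.com lure from the post, are constructed inline and are not real malware.

```python
"""Classify a downloaded file by its leading bytes instead of by its name."""
import os
import struct

# Leading bytes of the image formats recognised here.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def is_pe_executable(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, ignoring the file name."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    if is_pe_executable(data):
        return "PE executable"
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say and return a verdict."""
    ext = os.path.splitext(filename.lower())[1]
    claims_image = ext in IMAGE_EXTENSIONS
    actual = sniff_type(data)
    if actual == "PE executable":
        reason = "content is a Windows executable regardless of its name"
    elif claims_image and actual not in IMAGE_MAGIC.values():
        reason = "extension claims an image but the content is not one"
    else:
        reason = "name and content agree"
    return {
        "file": filename,
        "claims_image": claims_image,
        "actual": actual,
        "suspicious": reason != "name and content agree",
        "reason": reason,
    }


def _fake_pe() -> bytes:
    """Constructed sample: only the header fields the check reads, not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points just past it
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample downloads (the first name is the lure from the post).
SAMPLES = {
    "image18.com": _fake_pe(),                       # executable sent in place of a picture
    "photo.jpg": _fake_pe(),                         # executable renamed with an image extension
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
    "cut.jpg": b"MZ",                                # truncated file: not an image, not a valid PE
}


def scan_samples() -> list:
    """Run the check over every sample and return the verdicts."""
    return [classify(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for verdict in scan_samples():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f'{verdict["file"]:12} {verdict["actual"]:14} {flag}: {verdict["reason"]}')
```

The check deliberately treats the extension as a claim to be verified rather than a fact: a `.com` or `.exe` name is already a warning on its own, but a PE renamed to `.jpg` only shows up once the bytes are inspected, which is what a mail or IM gateway filter should be doing.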

Keep Safe

regards
Steo
www.antirootkit.com